Since September 2018 (MDL-63346):

1. This policy will be applied to ALL supported branches, normal and security-only.
2. This policy won't update any tool per se, unless strictly needed by nodejs/npm own dependencies/changes. It won't include npm audit changes either. Those are handled apart. So, normally, only changes to .nvmrc and package.json will happen. That will be achieved by:
   1. update .nvmrc to the new version.
   2. run nvm install && nvm alias default node && nvm use to install, set it as new default and use it for the next steps.
   3. update package.json and set engines to the new restriction (>= new version and < next major).
3. When needed to bump components or run some audit, a new issue, similar to this, will be created and these steps performed in order to get a renewed npm-shrinkwrap.json file:
   1. remove node_modules & npm-shrinkwrap.json
   2. npm cache clear --force
   3. npm install
   4. npm shrinkwrap
4. In any case, simple update or complete components bump, run grunt and verify that all the generated css/js/map stuff remains the same. If there are differences in the generation... it will need to be analysed and decided if:
   1. accepted (so everything, shrinkwrap  and generated css/js/map) lands [or]
   2. not accepted (and only change .nvmrc and package.json) instead).
5. The resulting branches will be sent to github (or similar), making a peer-review request here so both GHA and cibot will verify that all them pass ok.
6. Changes will be normally integrated and the NodeJSVersion template and NodeJSExactVersion templates will be updated with latest information in the Docs.
7. TODO (MDLSITE-5536): A job @ CI servers will be, daily, using latest lts/current version to detect if there are npm-shrinkwrap.json changes. It will fail when that happens and inform integrators. Jumps to lts/next will be detected manually,.